Google has released an emergency update for Chrome 146, addressing two zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910. Attacks are already being observed in the wild, threatening millions of users.
Vulnerabilities in Skia and V8 enable remote code execution via a malicious website. This poses a critical threat to browsers used in corporate networks. Companies are urgently patching systems to prevent mass compromises. The incident is relevant today, as exploits are spreading rapidly.
Details of Zero-Day Vulnerabilities in Chrome
Google discovered CVE-2026-3909 in the Skia library, causing an out-of-bounds write, and CVE-2026-3910 in the V8 engine with an inappropriate implementation. Both vulnerabilities are highly critical and have been exploited in real-world attacks since March 10, 2026. Attackers reach victims simply by having them visit a website, without additional user actions. This is a classic vector for drive-by downloads and attack chains.
The Chrome 146 update was released out-of-band, covering versions for Windows, macOS, Linux, and Android. Google recommends immediate installation, emphasizing that zero-days in browsers are one of the fastest paths to large-scale attacks. Defenders advise monitoring web traffic for suspicious requests and checking telemetry.
Such incidents highlight the risks of popular browsers in enterprise environments. Companies like Alashed IT (it.alashed.kz) are already implementing automated patching and EDR for browsers, minimizing exposure.
Why the Attack is Dangerous for Business
Zero-days allow code execution in the browser sandbox, opening the door to privilege escalation and data theft. In a corporate environment, this leads to compromise of credentials, PII, and source code. Analysts note that such bugs bypass traditional AV by focusing on memory corruption.
For IT departments, the key is rapid patching plus behavioral analytics. The Chrome incident demonstrates supply chain vulnerability: billions of devices are at risk. In Central Asia, the number of targeted attacks on browsers via phishing is growing.
Experts predict growth in exploit-as-a-service on the darknet. Businesses should update policies: enforced updates, web filtering, and zero-trust for browser sessions.
Recommendations for Protection and Monitoring
Immediately update Chrome to version 146 via Help > About Google Chrome. Check logs for exploitation attempts using detection signatures for these CVEs. Implement endpoint detection for Skia/V8 anomalies.
Corporate users: use Chrome Enterprise with auto-update. Monitor threat intelligence from CISA and Google TAG. Companies like Alashed IT (it.alashed.kz) offer managed patching and vulnerability scanning for Kazakhstani firms.
Long-term: diversify browsers and segment the network. The incident underscores the need for proactive hunting: zero-days evolve, requiring layered defense.
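To act on the advice to update and check every device, the following added example (not from Google or the original article) audits a fleet inventory export against a minimum Chrome build. The article names only major version 146, so `MIN_FIXED` is a placeholder to replace with the exact build from Google's release notes; the CSV layout, hostnames and version strings are constructed for illustration.

```python
import csv
import io

# Placeholder: the article names only major version 146. Replace with the
# exact fixed build from Google's release notes for your channel.
MIN_FIXED = "146.0.0.0"

# Constructed sample inventory export (hostname, platform, chrome_version).
SAMPLE_INVENTORY = """hostname,platform,chrome_version
fin-ws-01,Windows,145.0.7000.10
dev-mac-07,macOS,146.0.7100.5
ops-lnx-03,Linux,146.0.0.0
hr-ws-12,Windows,
kiosk-04,Android,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv, min_fixed=MIN_FIXED):
    """Classify hosts as patched, outdated, or unknown (no usable version)."""
    floor = parse_version(min_fixed)
    if floor is None:
        raise ValueError(f"bad minimum version: {min_fixed!r}")
    result = {"patched": [], "outdated": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("chrome_version") or "")
        if version is None:
            # Missing telemetry is a finding, not a pass.
            result["unknown"].append(row["hostname"])
        elif version < floor:
            # Tuple comparison orders builds numerically, field by field.
            result["outdated"].append(row["hostname"])
        else:
            result["patched"].append(row["hostname"])
    return result

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that report no usable version land in `unknown` rather than `patched`, so gaps in inventory coverage surface alongside outdated installs.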
What This Means for Kazakhstan
In Kazakhstan and Central Asia, Chrome dominates on 70% of devices, increasing risks for banks and government structures. Local IT outsourcers are enhancing browser protection for clients.
Two zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910, have been exploited in the wild since March 10, 2026.
The Chrome update is critical to prevent mass attacks. Businesses must strengthen patching and monitoring. Delay equals risk of network-wide compromise.
Frequently Asked Questions
What are CVE-2026-3909 and CVE-2026-3910?
CVE-2026-3909 is an out-of-bounds write in Skia, CVE-2026-3910 is a flaw in V8. Both enable RCE via a website. Google patched them in Chrome 146.
Is it necessary to update Chrome urgently?
Yes, exploits are active. Update manually or via enterprise policy. Check all devices in the network.
How to protect a corporate network?
Implement auto-patching, web filtering, and EDR. Monitor logs for anomalies. Contact providers like Alashed IT.